
Cyber security testing goes automated

Outrunning the Bear

Unify Issue 5

It won’t happen to us. If ever there’s a text-book example of giving a hostage to fortune, then these five fateful words are it. Fact is, if it hasn’t already happened, every company will suffer a cyber attack, and probably sooner rather than later.

Seven in ten large businesses reported a data breach or attack on their systems over the past 12 months.

It’s not good for a business to have to admit that it got caught with its IT pants down.

Even though they have been targeted, some companies are able to avoid breaches becoming common knowledge.

However, when consumers are affected, disclosure of a breach is often unavoidable, as attacks on TalkTalk, the NHS, Maersk, Ticketmaster, Equifax and now British Airways show.

A successful attack can bring down even the most robust of companies.

The financial cost of disinfecting systems and plugging the security holes exposed by a breach can be significant, but it is likely to pale into relative insignificance against the fines levied under the newly-in-force General Data Protection Regulation (GDPR) if a breach is proven to have been the result of inadequate defences and policies. Add to that the damage to customer confidence and the resultant loss of revenue, and a successful attack can create a perfect storm that brings down even the most robust and long-established of companies.

Cyber crime cost UK business £21 billion in 2017

What’s the problem?

Chief Information Security Officers need no lectures on these risks; they are paid to inoculate their companies against such events.

The problem many CISOs have is carrying boardroom colleagues along with them on the journey of understanding the threats, and agreeing to mitigate effectively against them. Inevitably the discussion turns to money – and then the push-backs begin.

Part of the problem is that cyber crime is dynamic:

Not only does the nature of the threat change constantly as perpetrators latch on to new techniques or turn their attention to newly-found weaknesses, but in dynamic enterprises systems are in a constant state of change too.

For many enterprises once a year pen testing is simply inadequate.

Gamma CISO Brian Mulligan

Most organisations, large or small, are unable to address the basics of cyber security:

Pen testing doesn’t scale and is poor value.

Most are unaware of their security posture and unable to patch or configure their networks effectively.

They are often caught out by common forms of commodity cyber crime.

Common forms of cyber attack account for around 80% of the economic impact.

Large organisations are unable to address third-party cyber security risks.

Mulligan observes:

The level of risk is quite different for enterprises operating in most other sectors, and boards need to keep in mind that spend on evaluation and mitigation, even with the advent of GDPR, is required to be proportionate.

Mulligan agrees with the notion that, for many enterprises, once a year pen testing is simply inadequate, either to ensure that systems and data are appropriately protected or to demonstrate to the Information Commissioner that proportionate evaluation and protection measures had been taken.

However, with the advent of automated penetration testing tools such as CyberScore from Gamma, companies can afford to carry out regular comprehensive testing.

That in turn enables properly informed evaluation of threats and weaknesses to be made, and defences against the prevailing threats to be kept not just fully up to date, but verifiably up to date.

In 2016 UK businesses suffered 2.4 million successful breaches

Mulligan explains that you don’t have to outrun the bear, but only run faster than the guy next to you.

Most malware and other attacks are people using old technology to look for the low hanging fruit; companies that are vulnerable because they haven’t done the basics. If you have, they’ll move on somewhere else.

Automated tools can be a huge help to:

Get leadership on board.

Establish a proper cyber-aware culture throughout an organisation.

And if the ICO does come knocking at your door, you will be able to clearly demonstrate that your organisation has taken steps to improve security, and that you’ve not been resting on your laurels.